diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6e92f57
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+tags
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
new file mode 100644
index 0000000..0b2b260
--- /dev/null
+++ b/.pre-commit-hooks.yaml
@@ -0,0 +1,6 @@
+- id: encryption-check
+  name: Ansible Vault Encryption Check
+  description: Checks that vault files are encrypted
+  entry: encryption-check.sh
+  files: ((^|/)vault|vault.y[a]{0,1}ml$|.vault$)
+  language: script
diff --git a/README.md b/README.md
index ae819c2..6bbc11d 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,8 @@
 # ansible-pre-commit
-Pre-commit hooks for working with Ansible
\ No newline at end of file
+A set of [pre-commit](http://pre-commit.com) hooks that help with Ansible
+
+## Hooks
+
+### encryption-check
+Verifies that vault files are encrypted. Defaults to checking files starting with `vault`, ending with `.vault.yml` or ending in `.vault`
diff --git a/encryption-check.sh b/encryption-check.sh
new file mode 100755
index 0000000..f3eedc1
--- /dev/null
+++ b/encryption-check.sh
@@ -0,0 +1,17 @@
+#! /bin/bash
+# Verifies that files passed in are encrypted
+set -e
+
+has_error=0
+for file in $@ ; do
+  head -1 "$file" | grep --quiet '^\$ANSIBLE_VAULT;' || {
+    echo "ERROR: $file is not encrypted"
+    has_error=1
+  }
+done
+
+if [ $has_error ] ; then
+  echo "To ignore, use --no-verify"
+fi
+
+exit $has_error
diff --git a/hooks.yaml b/hooks.yaml
new file mode 100644
index 0000000..0b2b260
--- /dev/null
+++ b/hooks.yaml
@@ -0,0 +1,6 @@
+- id: encryption-check
+  name: Ansible Vault Encryption Check
+  description: Checks that vault files are encrypted
+  entry: encryption-check.sh
+  files: ((^|/)vault|vault.y[a]{0,1}ml$|.vault$)
+  language: script
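Review bot: The `files` regex in the .pre-commit-hooks.yaml hunk leaves its dots unescaped, so `vault.y[a]{0,1}ml$` and `.vault$` match any character in that position (e.g. a file named `myvault` or `vaultXyml`), which does not match what the README describes. The pattern also matches any filename merely starting with `vault`, so non-secret files such as a vault password file would be flagged as "not encrypted". Suggested pattern: `files: ((^|/)vault|\.vault\.ya?ml$|\.vault$)`. The same pattern is repeated verbatim in the hooks.yaml hunk (same blob 0b2b260); if the duplicate is kept for older pre-commit versions, both copies need the fix and a comment saying which one is canonical.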
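Review bot: `if [ $has_error ] ; then` is always true, because `[ 0 ]` tests a non-empty string rather than a number, so the "To ignore, use --no-verify" hint prints even when every file passed; it should be `if [ "$has_error" -ne 0 ] ; then`. On the loop line, `for file in $@ ; do` is unquoted, so a path containing whitespace is split into several names, each of which then fails the `head`/`grep` check with a misleading error; use `for file in "$@" ; do`. It is also worth noting in a comment that an empty or unreadable file is deliberately reported as unencrypted (`head` emits nothing, `grep --quiet` fails), which is the safe default for a check meant to stop plaintext secrets from being committed.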